proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-07-27 15:49:25 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Enable default seccomp profile for all distros

Browse Source 
This updates the common config to include Serge's seccomp profile by
default for privileged containers.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This commit is contained in:
Stéphane Graber 2014-07-01 21:38:18 -04:00
parent 616d626b4e
commit 6e39e4cbff
6 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
config/templates/Makefile.am
View File

@ -1,6 +1,6 @@
templatesconfigdir=@LXCTEMPLATECONFIG@ templatesconfigdir=@LXCTEMPLATECONFIG@
EXTRA_DIST = ubuntu.priv.seccomp EXTRA_DIST = common.seccomp
templatesconfig_DATA = \ templatesconfig_DATA = \
archlinux.common.conf \ archlinux.common.conf \
@ -8,6 +8,7 @@ templatesconfig_DATA = \
centos.common.conf \ centos.common.conf \
centos.userns.conf \ centos.userns.conf \
common.conf \ common.conf \
common.seccomp \
debian.common.conf \ debian.common.conf \
debian.userns.conf \ debian.userns.conf \
fedora.common.conf \ fedora.common.conf \
@ -26,6 +27,5 @@ templatesconfig_DATA = \
ubuntu-cloud.userns.conf \ ubuntu-cloud.userns.conf \
ubuntu.common.conf \ ubuntu.common.conf \
ubuntu.lucid.conf \ ubuntu.lucid.conf \
ubuntu.priv.seccomp \
ubuntu.userns.conf \ ubuntu.userns.conf \
userns.conf userns.conf

4
config/templates/common.conf.in
View File

@ -33,3 +33,7 @@ lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx
lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
lxc.cgroup.devices.allow = c 136:* rwm # /dev/pts/* lxc.cgroup.devices.allow = c 136:* rwm # /dev/pts/*
# Blacklist some syscalls which are not safe in privileged
# containers
lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp

0
config/templates/ubuntu.priv.seccomp → config/templates/common.seccomp
View File

4
config/templates/ubuntu.common.conf.in
View File

@ -42,7 +42,3 @@ lxc.cgroup.devices.allow = c 10:232 rwm
## To use loop devices, copy the following line to the container's ## To use loop devices, copy the following line to the container's
## configuration file (uncommented). ## configuration file (uncommented).
#lxc.cgroup.devices.allow = b 7:* rwm #lxc.cgroup.devices.allow = b 7:* rwm
# Blacklist some syscalls which are not safe in privileged
# containers
lxc.seccomp = @LXCTEMPLATECONFIG@/ubuntu.priv.seccomp

4
config/templates/ubuntu.userns.conf.in
View File

@ -4,7 +4,3 @@ lxc.include = @LXCTEMPLATECONFIG@/userns.conf
# Extra fstab entries as mountall can't mount those by itself # Extra fstab entries as mountall can't mount those by itself
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
# Default seccomp policy is not needed for unprivileged containers, and
# non-root users cannot use seccmp without NNP anyway.
lxc.seccomp =

4
config/templates/userns.conf.in
View File

@ -13,3 +13,7 @@ lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
# Default seccomp policy is not needed for unprivileged containers, and
# non-root users cannot use seccmp without NNP anyway.
lxc.seccomp =